Free Information Xchange presents:

Star Wars Episode 1 Racer - CD crack
by Static Vengeance - May 26th, 1999

REQUIREMENTS:
Full game install
W32Dasm & Hex editor

With all the hype about the new Star Wars movie (Episode 1) you just knew there were going to be games based on it. Star Wars Episode 1 Racer is just such a game. The game requires a 3D accelerator and makes good use of it as well! With dual Voodoo 2 cards the game looks fantastic and with all the options turned on (or on high) runs quite fast. The cut scenes are very good and the game play is great, so this game is well worth the money to buy.

I just have two minor problems with this racer. First, once you've seen the animations (cut scene movies) you really don't need to see them every time you play the game. Second is a little program bug so commonly found in today's games, and that is the copy protection used. Why do they always make you have the original CD in the drive just to play the darn game? As with any game you'll be playing a lot, you don't want to hunt down the original CD to play it. Also, if you have kids you'll want to make sure the CD is protected from harm. The best way to do that is not to have the game require the CD! With a little effort on your part and a little guidance on my part you'll be able to do that with this game.

If you install the game and run it you'll notice that you'll need to put the CD in the drive. One of the reasons this is needed is that the music files and all of the animations are kept on the CD to keep the game install size down. Fair enough, but what if we kill the animations and copy the music files to the hard drive? Then we can track down the CD check and kill that as well. We'll end up with a cracked copy of the game we can play anytime without the need for the CD to be in the CD-ROM drive. So let's get started on our quest.

Install the game and you'll see two exe files. The first one is basically a loader, but it has some very important features.
When you first run the game it's the file racer.exe that lets you choose your 3D card and resolution. Otherwise you're limited to the stock 640x480 @ 16 bit color. Hey, we've got big monitors and high powered 3D cards and we want to use higher res, right? So we'll need to kill the CD check in that file. The other file is of course the main game program called swep1rcr.exe and we'll need to track down the CD check in that file as well.

So disassemble racer.exe and do the usual trick: Go up to the menu bar and select "Refs" and then "String Data Refs" from the drop down menu. When the refs pop-up box comes up, grab the slider bar and start scrolling down looking for anything that looks interesting. Eventually, if you're paying attention, you'll find a ref of "/LNCH099/Please insert the CD ". Double click on that and you'll be put in the middle of some routine. However, this string comes up 3 times so you'll have to look at the surrounding code to see which one is the CD check. So checking around a bit with the second occurrence you'll see some interesting things:

-- Program Code --

:00404856 8D95F0FEFFFF    lea edx, dword ptr [ebp+FFFFFEF0]
:0040485C 52              push edx
:0040485D E8BE7D0000      call 0040C620
:00404862 83C408          add esp, 00000008

* Possible StringData Ref from Data Obj ->"Star Wars: Episode I Racer\"
                                  |
:00404865 68ACCC4200      push 0042CCAC
:0040486A 8D85F0FEFFFF    lea eax, dword ptr [ebp+FFFFFEF0]
:00404870 50              push eax
:00404871 E8AA7D0000      call 0040C620
:00404876 83C408          add esp, 00000008

* Possible StringData Ref from Data Obj ->"v1.0"
                                  |
:00404879 68C8CC4200      push 0042CCC8
:0040487E 8D8DF0FEFFFF    lea ecx, dword ptr [ebp+FFFFFEF0]
:00404884 51              push ecx
:00404885 E8967D0000      call 0040C620
:0040488A 83C408          add esp, 00000008

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048D5(U)
|
:0040488D 6A00            push 00000000    <-- Push a 0 on the stack
:0040488F E80F570000      call 00409FA3    <-- First call instruction before the CD request
:00404894 83C404          add esp, 00000004    <-- Fix stack due to push command
:00404897 85C0            test eax, eax    <-- Test eax for value
:00404899 753C            jne 004048D7    <-- Conditional jump before asking for the CD!!
:0040489B 6A01            push 00000001

* Possible StringData Ref from Data Obj ->"/LNCH073/Error"
                                  |
:0040489D 68D0CC4200      push 0042CCD0
:004048A2 E844090000      call 004051EB
:004048A7 83C404          add esp, 00000004
:004048AA 50              push eax

* Possible StringData Ref from Data Obj ->"/LNCH099/Please insert the CD "    <-- What got us here and why
                                        ->"into your CD-ROM player and try "  <-- we're doing this
                                        ->"again."
                                  |
:004048AB 68E0CC4200      push 0042CCE0
:004048B0 E836090000      call 004051EB
:004048B5 83C404          add esp, 00000004
:004048B8 50              push eax
:004048B9 6A00            push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh    <-- Post a windows pop-up message box
                                  |
:004048BB FF1530344200    Call dword ptr [00423430]
:004048C1 89857CFDFFFF    mov dword ptr [ebp+FFFFFD7C], eax
:004048C7 83BD7CFDFFFF02  cmp dword ptr [ebp+FFFFFD7C], 00000002
:004048CE 7505            jne 004048D5
:004048D0 E91E010000      jmp 004049F3    <-- Jump back up to the mystery call!!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004048CE(C)
|
:004048D5 EBB6            jmp 0040488D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404899(C)
|
:004048D7 E831510000      call 00409A0D    <-- We want to get at least this far
:004048DC 8985E4FDFFFF    mov dword ptr [ebp+FFFFFDE4], eax
:004048E2 83BDE4FDFFFF04  cmp dword ptr [ebp+FFFFFDE4], 00000004
:004048E9 7F40            jg 0040492B

* Possible StringData Ref from Data Obj ->"/LNCH075/Star Wars: Episode I "
                                        ->"Racer"
                                  |
:004048EB 6828CD4200      push 0042CD28
:004048F0 E8F6080000      call 004051EB

-- Continuing Program Code --

That's interesting to me: first you have a call, then the code tests eax for a zero value. If eax is not zero the code jumps over asking for the CD! However, if eax is zero then up comes a Windows message box asking for the CD.
Then the code checks to see your response and will either exit to Windows or loop back up to the mystery call! Well, let's take a closer look at that call and see what it's doing:

* Referenced by a CALL at Address:
|:0040488F    <-- Only called once!
|
:00409FA3 55              push ebp
:00409FA4 8BEC            mov ebp, esp
:00409FA6 81EC10040000    sub esp, 00000410
:00409FAC E82FFFFFFF      call 00409EE0
:00409FB1 8885FCFEFFFF    mov byte ptr [ebp+FFFFFEFC], al
:00409FB7 C685FDFEFFFF00  mov byte ptr [ebp+FFFFFEFD], 00

* Possible StringData Ref from Data Obj ->":\"    <-- Pushes a pointer to ":\" as in "D:\"
                                  |
:00409FBE 6814ED4200      push 0042ED14
:00409FC3 8D85FCFEFFFF    lea eax, dword ptr [ebp+FFFFFEFC]
:00409FC9 50              push eax
:00409FCA E851260000      call 0040C620
:00409FCF 83C408          add esp, 00000008
:00409FD2 8D8DF4FCFFFF    lea ecx, dword ptr [ebp+FFFFFCF4]
:00409FD8 51              push ecx
:00409FD9 E8CCFCFFFF      call 00409CAA
:00409FDE 83C404          add esp, 00000004
:00409FE1 8D95FCFEFFFF    lea edx, dword ptr [ebp+FFFFFEFC]
:00409FE7 52              push edx
:00409FE8 8D85F0FBFFFF    lea eax, dword ptr [ebp+FFFFFBF0]
:00409FEE 50              push eax
:00409FEF E81C260000      call 0040C610
:00409FF4 83C408          add esp, 00000008
:00409FF7 8D8DF4FCFFFF    lea ecx, dword ptr [ebp+FFFFFCF4]
:00409FFD 51              push ecx
:00409FFE 8D95F0FBFFFF    lea edx, dword ptr [ebp+FFFFFBF0]
:0040A004 52              push edx
:0040A005 E816260000      call 0040C620
:0040A00A 83C408          add esp, 00000008
:0040A00D 8D85F0FBFFFF    lea eax, dword ptr [ebp+FFFFFBF0]
:0040A013 50              push eax
:0040A014 E866FBFFFF      call 00409B7F
:0040A019 83C404          add esp, 00000004
:0040A01C 85C0            test eax, eax
:0040A01E 745A            je 0040A07A
:0040A020 837D0800        cmp dword ptr [ebp+08], 00000000
:0040A024 744D            je 0040A073
:0040A026 6A00            push 00000000
:0040A028 6A00            push 00000000
:0040A02A 6A00            push 00000000
:0040A02C 6A00            push 00000000
:0040A02E 6A00            push 00000000
:0040A030 6804010000      push 00000104
:0040A035 8D8DF8FDFFFF    lea ecx, dword ...
cyGan1964